deploy.yml
# Workflow that builds the documentation site and deploys it.
name: deploy

# One active run per workflow and ref: a newer run cancels the one still in
# progress for the same ref.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Triggered manually, or by a push to one of the three deployment branches.
on:
  workflow_dispatch: {}
  push:
    branches: [lab, main, published]
# Token scopes for every job in this workflow. `id-token: write` lets a job
# request an OIDC token from GitHub's token endpoint; `contents: read` is
# enough to check out the repository. Scopes not listed here are not granted.
permissions:
  contents: read
  id-token: write
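jobs:
  # Builds the site and publishes it to the target selected by the branch:
  # lab -> labs, main -> staging, published -> production.
  publish:
    runs-on: ubuntu-24.04
    # Skip the job unless the repository owner is `docker` (for example in
    # forks).
    if: github.repository_owner == 'docker'
    # NOTE(review): every `uses:` below references a mutable major-version
    # tag, and this job can mint an OIDC token that is exchanged for AWS
    # credentials. Pinning each action to a full commit SHA (tag kept as a
    # trailing comment) keeps a moved tag from changing what runs here.
    steps:
      -
        name: Prepare
        # Maps the ref to its deployment settings and exports them to later
        # steps through $GITHUB_ENV. The ref is read from the runner-provided
        # GITHUB_REF variable instead of a `github.ref` expression: an
        # expression is pasted into the script text before the shell parses
        # it, while a variable is only ever treated as data.
        run: |
          HUGO_ENV=development
          DOCS_AWS_REGION=us-east-1
          if [ "$GITHUB_REF" = "refs/heads/main" ]; then
            HUGO_ENV=staging
            DOCS_URL="https://docs-stage.docker.com"
            DOCS_AWS_IAM_ROLE="arn:aws:iam::710015040892:role/stage-docs-docs.docker.com-20220818202135984800000001"
            DOCS_S3_BUCKET="stage-docs-docs.docker.com"
            DOCS_S3_CONFIG="s3-config.json"
            DOCS_CLOUDFRONT_ID="E1R7CSW3F0X4H8"
            DOCS_LAMBDA_FUNCTION_REDIRECTS="DockerDocsRedirectFunction-stage"
            DOCS_SLACK_MSG="Successfully deployed docs-stage from main branch. $DOCS_URL"
          elif [ "$GITHUB_REF" = "refs/heads/published" ]; then
            HUGO_ENV=production
            DOCS_URL="https://docs.docker.com"
            DOCS_AWS_IAM_ROLE="arn:aws:iam::710015040892:role/prod-docs-docs.docker.com-20220818202218674300000001"
            DOCS_S3_BUCKET="prod-docs-docs.docker.com"
            DOCS_S3_CONFIG="s3-config.json"
            DOCS_CLOUDFRONT_ID="E228TTN20HNU8F"
            DOCS_LAMBDA_FUNCTION_REDIRECTS="DockerDocsRedirectFunction-prod"
            DOCS_SLACK_MSG="Successfully deployed docs from published branch. $DOCS_URL"
          elif [ "$GITHUB_REF" = "refs/heads/lab" ]; then
            # No DOCS_SLACK_MSG for this branch, so SEND_SLACK_MSG ends up
            # "false" below.
            HUGO_ENV=lab
            DOCS_URL="https://docs-labs.docker.com"
            DOCS_AWS_IAM_ROLE="arn:aws:iam::710015040892:role/labs-docs-docs.docker.com-20220818202218402500000001"
            DOCS_S3_BUCKET="labs-docs-docs.docker.com"
            DOCS_S3_CONFIG="s3-config.json"
            DOCS_CLOUDFRONT_ID="E1MYDYF65FW3HG"
            DOCS_LAMBDA_FUNCTION_REDIRECTS="DockerDocsRedirectFunction-labs"
          else
            # A manual dispatch from any other ref stops here, before any
            # credentials are requested.
            echo >&2 "ERROR: unknown branch $GITHUB_REF"
            exit 1
          fi
          SEND_SLACK_MSG="true"
          if [ -z "$DOCS_AWS_IAM_ROLE" ] || [ -z "$DOCS_S3_BUCKET" ] || [ -z "$DOCS_CLOUDFRONT_ID" ] || [ -z "$DOCS_SLACK_MSG" ]; then
            SEND_SLACK_MSG="false"
          fi
          echo "BRANCH_NAME=${GITHUB_REF#refs/heads/}" >> "$GITHUB_ENV"
          echo "HUGO_ENV=$HUGO_ENV" >> "$GITHUB_ENV"
          echo "DOCS_URL=$DOCS_URL" >> "$GITHUB_ENV"
          echo "DOCS_AWS_REGION=$DOCS_AWS_REGION" >> "$GITHUB_ENV"
          echo "DOCS_AWS_IAM_ROLE=$DOCS_AWS_IAM_ROLE" >> "$GITHUB_ENV"
          echo "DOCS_S3_BUCKET=$DOCS_S3_BUCKET" >> "$GITHUB_ENV"
          echo "DOCS_S3_CONFIG=$DOCS_S3_CONFIG" >> "$GITHUB_ENV"
          echo "DOCS_CLOUDFRONT_ID=$DOCS_CLOUDFRONT_ID" >> "$GITHUB_ENV"
          echo "DOCS_LAMBDA_FUNCTION_REDIRECTS=$DOCS_LAMBDA_FUNCTION_REDIRECTS" >> "$GITHUB_ENV"
          echo "DOCS_SLACK_MSG=$DOCS_SLACK_MSG" >> "$GITHUB_ENV"
          echo "SEND_SLACK_MSG=$SEND_SLACK_MSG" >> "$GITHUB_ENV"
      -
        name: Checkout
        # fetch-depth 0 fetches the complete history instead of a shallow
        # clone.
        # NOTE(review): checkout leaves the job token in the local git config
        # by default; if no later step needs authenticated git access, confirm
        # whether `persist-credentials: false` can be set.
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      -
        name: Build website
        # Builds the `release` bake target, using a per-branch GitHub Actions
        # cache scope.
        uses: docker/bake-action@v5
        with:
          files: |
            docker-bake.hcl
          targets: release
          set: |
            *.cache-from=type=gha,scope=deploy-${{ env.BRANCH_NAME }}
            *.cache-to=type=gha,scope=deploy-${{ env.BRANCH_NAME }},mode=max
          provenance: false
      -
        name: Configure AWS Credentials
        # Assumes the branch's IAM role using the job's OIDC token.
        # NOTE(review): the role's trust policy is not visible here; confirm
        # it restricts the token subject to this repository and to the branch
        # that maps to each role.
        if: ${{ env.DOCS_AWS_IAM_ROLE != '' }}
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ env.DOCS_AWS_IAM_ROLE }}
          aws-region: ${{ env.DOCS_AWS_REGION }}
      -
        name: Upload files to S3 bucket
        # The settings exported by the Prepare step are read as quoted shell
        # variables rather than expanded into the script text.
        if: ${{ env.DOCS_S3_BUCKET != '' }}
        run: |
          # First pass: only *.webp files, uploaded with an explicit content type.
          aws --region "$DOCS_AWS_REGION" s3 sync \
            --acl public-read \
            --delete \
            --exclude "*" \
            --include "*.webp" \
            --metadata-directive="REPLACE" \
            --no-guess-mime-type \
            --content-type="image/webp" \
            public "s3://$DOCS_S3_BUCKET/"
          # Second pass: everything except *.webp files.
          aws --region "$DOCS_AWS_REGION" s3 sync \
            --acl public-read \
            --delete \
            --exclude "*.webp" \
            public "s3://$DOCS_S3_BUCKET/"
      -
        name: Update S3 config
        if: ${{ env.DOCS_S3_BUCKET != '' && env.DOCS_S3_CONFIG != '' }}
        uses: docker/bake-action@v5
        with:
          files: |
            docker-bake.hcl
          targets: aws-s3-update-config
          set: |
            *.cache-from=type=gha,scope=releaser
        env:
          AWS_REGION: ${{ env.DOCS_AWS_REGION }}
          AWS_S3_BUCKET: ${{ env.DOCS_S3_BUCKET }}
          AWS_S3_CONFIG: ${{ env.DOCS_S3_CONFIG }}
      -
        name: Update Cloudfront config
        if: ${{ env.DOCS_CLOUDFRONT_ID != '' }}
        uses: docker/bake-action@v5
        with:
          files: |
            docker-bake.hcl
          targets: aws-cloudfront-update
        env:
          AWS_REGION: us-east-1  # cloudfront and lambda edge functions are only available in us-east-1 region
          AWS_CLOUDFRONT_ID: ${{ env.DOCS_CLOUDFRONT_ID }}
          AWS_LAMBDA_FUNCTION: ${{ env.DOCS_LAMBDA_FUNCTION_REDIRECTS }}
      -
        name: Invalidate Cloudfront cache
        if: ${{ env.DOCS_CLOUDFRONT_ID != '' }}
        run: |
          aws cloudfront create-invalidation --distribution-id "$DOCS_CLOUDFRONT_ID" --paths "/*"
        env:
          AWS_REGION: us-east-1  # cloudfront is only available in us-east-1 region
          AWS_MAX_ATTEMPTS: "5"
      -
        name: Send Slack notification
        # The webhook URL is handed to the step as an environment variable and
        # referenced as a quoted shell variable, so the secret is never
        # expanded into the script text itself.
        if: ${{ env.SEND_SLACK_MSG == 'true' }}
        run: |
          curl -X POST -H 'Content-type: application/json' --data "{\"text\":\"$DOCS_SLACK_MSG\"}" "$SLACK_WEBHOOK"
        env:
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}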